We have public IP address hosted on FreeBSD router. We have also a lot of service running inside our LAN network, some of our services need to be accessible outside our home network trough public IP address.
Until now I did it forwarding specific ports to specific local ip address. Sample (for Terminal Server i Forwarded port 2305 to local ip server on port 3389, and it is working perfectly when someone call remote desktop connection on "MYpublicIPadres:2305" get access to my Terminal Server.
What I want to do is:
Some how to secure access to that service by specific client (machine or network). Is there a way to I allow access to only specific users (by MAC address or something else) to my service.
What I did already is make VPN server-client connection but that method do not offer me a lot.
I also can restrict access by specific ip address but most of my clients do not have static public IP address, they coming from DSL connections with different IP addresses each time.
If this is not possible done by using FreeBSD do I have alternatives like IPCOP or something similar to FreeBSD.
Edit: VPN Issues
As You mentioned already that I should go with VPN solution here is issues that I faced
- I am using sample VPN client build inside Windows OS and that allowing that client can set up VPN from any computer machine (Story Behind: I have department outside our network and I want to be sure that for specific service access only can be madded from department.)
- When Client call VPN connection it lose connection with other world and a lot of clients want to have bout access to my services and to other internet resources.
Answer
If you can't secure the service itself a VPN or SSH tunnel is really your best option here.
Since your clients don't have static public IPs you can't restrict by IP, and if clients are coming in over the internet you won't be able to determine their MAC addresses (lost at the first hop).
You could consider something like port knocking for controlling access to the service (google "port knocking" - the first few links are pretty useful for explanation and examples).
Similar stuff can also be rigged up with a web server script & helper programs where you can "authorize" access from an IP for a certain period of time, potentially with something more complex than port knocking, but these implementations are only as secure as the underlying code)
No comments:
Post a Comment